Beyond Internet security to risk management

August 06, 2007

ROI v. NPV v. Risk Management

There's been some comment discussion about security ROI.
Ken Belva's point is that you can have a security ROI,
to which I have agreed (twice).
Iang says he's already addressed this topic, in a blog entry
in which he points out that

Calculating ROI is wrong, it should be NPV. If you are not using NPV
then you're out of court, because so much of security investment is
future-oriented.

Iang's entry also says that we can't even really do Net Present Value (NPV)
because we have no way to calculate or predict actual costs with any
accuracy.
He also says that security people need to learn about business,
which I've also been
harping on.
I bet if many security people knew what NPV was, they'd be claiming
they had it as much as they're claiming they have ROI.
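To make the ROI/NPV distinction Iang draws concrete, here is an added worked example; it is not code or figures from the original post, from Iang, or from Ken Belva. The control, its costs, its loss-reduction factor, the annual loss expectancy (ALE) and the discount rate are all constructed for illustration. It computes the simple "security ROI" figure, the NPV of the same cash flows, and then the NPV across a plausible range of ALE estimates, which is where the calculation runs into the problem the rest of this post is about.

```python
"""ROI versus NPV for a hypothetical security control (added example).

The figures below are constructed for illustration. A control costs
`upfront` today and `opex` each year, and is assumed to avoid a fraction
`reduction` of an annual loss expectancy `ale` for `years` years.
"""


def undiscounted_roi(upfront, opex, ale, reduction, years):
    """Simple ROI: (total benefit - total cost) / total cost, ignoring time.

    This is the usual "security ROI" number: a dollar of loss avoided in
    year 5 counts the same as a dollar spent today.
    """
    benefit = ale * reduction * years
    cost = upfront + opex * years
    return (benefit - cost) / cost


def security_cash_flows(upfront, opex, ale, reduction, years):
    """Cash flows by year: index 0 is today, index t is t years out."""
    net_per_year = ale * reduction - opex
    return [-upfront] + [net_per_year] * years


def npv(rate, cash_flows):
    """Net present value at discount rate `rate` (0.10 means 10%)."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def annuity_factor(rate, years):
    """Present value of 1 received at the end of each of `years` years."""
    return sum(1 / (1 + rate) ** t for t in range(1, years + 1))


def breakeven_ale(rate, upfront, opex, reduction, years):
    """The ALE at which the control's NPV is exactly zero.

    Solves -upfront + (ale * reduction - opex) * annuity_factor == 0.
    """
    return (upfront / annuity_factor(rate, years) + opex) / reduction


def npv_sensitivity(rate, upfront, opex, reduction, years, ale_values):
    """NPV for each candidate ALE estimate, keyed by that estimate."""
    return {
        ale: npv(rate, security_cash_flows(upfront, opex, ale, reduction, years))
        for ale in ale_values
    }


if __name__ == "__main__":
    # Constructed figures: 100k up front, 20k/yr to run, assumed to stop
    # 75% of a 60k/yr expected loss, over 5 years, discounted at 10%.
    upfront, opex, ale, reduction, years, rate = 100_000, 20_000, 60_000, 0.75, 5, 0.10
    flows = security_cash_flows(upfront, opex, ale, reduction, years)
    print(f"undiscounted ROI: {undiscounted_roi(upfront, opex, ale, reduction, years):.1%}")
    print(f"NPV at {rate:.0%}:      {npv(rate, flows):,.0f}")
    print(f"break-even ALE:   {breakeven_ale(rate, upfront, opex, reduction, years):,.0f}")
    sens = npv_sensitivity(rate, upfront, opex, reduction, years, range(40_000, 80_001, 10_000))
    for a, v in sens.items():
        print(f"  ALE {a:>7,}: NPV {v:>9,.0f}")
```

With these made-up numbers the undiscounted ROI is a comfortable 12.5%, while the NPV at 10% is slightly negative: the same project is "worth it" under one formula and not under the other, which is Iang's point. The sensitivity table makes the further point: the sign of the NPV flips between an ALE of 60,000 and 70,000, with break-even near 61,840, so the decision rests entirely on an annual-loss estimate that in practice nobody can pin down to within that margin.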

My point remains that this whole emphasis on calculation is
part of the problem.
Security people tend to be engineers, whose whole orientation is
to build and fix things, and to calculate in order to do so.
To quote PricewaterhouseCoopers again:

"But what about those areas, like reputational risk, that are both
harder to measure and more sudden and severe in their impact?"

Banks and financial institutions that have been dealing with financial
risk for centuries are still having some trouble admitting that
some risks can't be prevented, fixed, or even accurately predicted:
only mitigated.
Increased measurement and better detailed calculation will shift
which risks can be handled which way,
but there will always be risks that are uncertain, big, and sudden.
Both security people and business executives need to get used to
dealing with them.
Those who don't, well, their companies will be like U.S. automakers
trying to catch up and produce hybrid cars, or like most airlines
trying to catch up to Southwest, which spent money
to hedge its fuel prices even though it couldn't predict
exactly how much that would save or when.

Risk management isn't just about calculation.
It's not just about tactics.
It's also about strategy.

Jared Diamond, Collapse: How Societies Choose to Fail or Succeed. The author examines societies from the smallest (Tikopia) to the largest (China) and why they have succeeded or failed, where failure has included warfare, poverty, depopulation, and complete extinction. He thought he could do this purely through examining how societies damaged their environments, but discovered he also had to consider climate change, hostile neighbors, trading partners, and reactions of the society to all of those, including re-evaluating how the society's basic suppositions affect survival in changed conditions.